Information Security Policy

Sponsor: Chief Information Officer

Contact: Information Security Officer

Category: Information Security and Technology

Number: 1000.015

Effective Date: 1/2023

Implementation History: First version 1/2023

Keywords: Information security, data privacy, sensitive information, data, protection, disaster recovery.

Background Information:

The mission of SUNY Empire’s Information Security Program is to preserve the confidentiality, integrity, and availability of SUNY Empire information assets, in accordance with the Information Security Policy. The Information Security Program serves as the institution’s mechanism to appropriately identify, select, maintain, and improve information security controls.

The protection of information assets owned or managed by SUNY Empire is not the sole responsibility of the Information Security Program. In order to create a holistic and secure environment, multiple programs must work together within clearly defined responsibilities.

This policy was developed for compliance with SUNY Policy 6900 and, more specifically, SUNY Policy 6608. The first draft of this policy was created in January of 2023 and supersedes any preceding policy or internal documentation regarding an information security program.

Purpose

The purpose of this policy is to assist the organization in its efforts to fulfill its fiduciary responsibilities relating to the protection of information assets to comply with regulatory and contractual requirements involving information security and privacy. This policy framework consists of eighteen (18) separate policy statements, with supporting Standards documents, based on guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-171.

Roles and responsibilities will be established to ensure the maintenance and continual improvement of SUNY Empire’s Information Security Program. Information Security Advisory Group members will implement documented controls and ensure compliance with the Information Security Program in their respective divisions, departments, and/or units of the university.

Although no set of policies can address every possible scenario, this framework, taken as a whole, provides a comprehensive governance structure that addresses key controls in all known areas needed to provide for the confidentiality, integrity, and availability of the organization’s information assets. This framework also provides administrators guidance necessary for making prioritized decisions, as well as justification for implementing organizational change.

The scope of this policy includes all information assets governed by the organization. All faculty, staff, student workers, interns, and service providers who have access to or utilize assets of the organization, including data at rest, in transit or in process shall be subject to these requirements. This policy applies to:

  • All information assets and IT resources operated by the organization;
  • All information assets and IT resources provided by the organization through contracts, subject to the provisions and restrictions of the contracts; and
  • All authenticated users of SUNY Empire information assets and IT resources.

Definitions

Authorized Users – faculty, staff, and students are authorized users of SUNY Empire information systems.

Chief Information Officer (CIO): The Chief Information Officer is accountable for the implementation of the Information Security Program, including security policies, standards, and procedures, and for security compliance, including managerial, administrative, and technical controls. The Chief Information Officer is to be informed of information security implementations and ongoing development of the Information Security Program design.

Information Security Advisory Group: A cross-functional, management committee. The responsibilities of the Information Security Advisory Group and members are defined in the Information Security Governance Plan policy.

Information Security Officer (ISO):  Responsible for the development, implementation, and maintenance of a comprehensive Information Security Program for SUNY Empire.  This includes security policies, standards, and procedures which reflect best practices in information security.

Information Security Program (ISP) – a collection of initiatives that form the basis for any cyber security plan involving confidential data.

Family Educational Rights and Privacy Act (FERPA) – The Family Educational Rights and Privacy Act of 1974, as amended, (“FERPA” or “Act”) was designed primarily to ensure that educational records would be maintained in confidence and available to eligible students for inspection and correction when appropriate and that any such recorded information would not be made freely available to individuals outside the school without consent or as otherwise allowed by law.

Gramm-Leach-Bliley Act of 1999 (GLBA) – US law that applies to financial institutions and includes privacy and information security provisions that are designed to protect consumer financial data.  This law applies to how higher education institutions collect, store, and use student financial records, records regarding tuition payments and/or financial aid, containing personally identifiable information.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 – Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. CUI is defined, common types of data in higher education that “may” be called CUI, and what institutional information should be “out of scope.” The publication applies when CUI is shared by the federal government with a nonfederal entity and when no other federal law or regulation addresses how to protect the underlying data. CUI could include data received as part of a research grant or data received to conduct business, e.g., student financial aid information.

Written Information Security Program (WISP): A document detailing a description of the complete manner in which a company implements the administrative, technical, or physical safeguards in place to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle member information.

Information Security Advisory Group: A cross-functional advisory group that is associated with the tactical management of the information security objectives handed down by the Cabinet.

Security Incident: An event in which an unauthorized party impacts the confidentiality, integrity, or availability of information systems, processes, or operations.

Statements

The SUNY Empire Security Program is framed on National Institute of Standards and Technology (NIST) guidance, with controls implemented based on the Center for Internet Security (CIS) Critical Security Controls priorities. SUNY Empire must develop appropriate control standards and procedures required to support the organization’s Information Security Policy. This policy is further defined by control standards, procedures, control metrics, and control tests to assure functional verification.

The SUNY Empire Security Program is based on NIST Special Publication 800-171. This publication is structured into 14 control groupings, herein referred to as Information Security Standards. These Standards must meet all statutory and contractual requirements.

Access Control (AC)

SUNY Empire must limit information system access to:

  • Third parties if there is a legitimate institutional need to do so. SUNY Empire may share your Personal Information with the following recipients:
  • With SUNY System Administration and other campuses within the SUNY System in order to govern, administer, and improve the SUNY system.
  • With SUNY Empire's affiliated entities including the Research Foundation for the State University of New York, individual campus foundations, campus faculty student associations, and other affiliated entities in order to provide ancillary services.
  • With SUNY Empire's service providers that need access to your Personal Information in order to provide SUNY Empire with services necessary to fulfill SUNY Empire's mission or improve the SUNY Empire student or employee experience.
  • With accrediting agencies in order to obtain or maintain accreditations for SUNY Empire's and its affiliates' various programs.
  • With the Federal, State, and local governments or regulatory authorities as required by law or as necessary to fulfill the mission of SUNY Empire.
  • Please note that the University may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators,

Awareness and Training (AT)

SUNY Empire must:

  • ensure that supervisors and users of information systems are required to complete annual training on the security risks associated with their activities and on the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organization information systems; and
  • ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability (AU)

SUNY Empire must:

  • create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protective enclave systems, specific to confidential data and confidential networks, at a minimum; and
  • ensure that the actions of individual information system users can be uniquely traced for all restricted systems.

Assessment and Authorization (CA)

SUNY Empire must:

  • periodically assess the security controls in organization information systems to determine if the controls are effective in their application;
  • develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organization information systems;
  • authorize the operation of the organization’s information systems and any associated information system connections; and
  • monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM)

SUNY Empire must:

  • establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, supported firmware, and documentation) throughout the respective system development life cycles; and
  • establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning (CP)

SUNY Empire must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for the organization’s information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA)

SUNY Empire must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to SUNY Empire information systems.

Incident Response (IR)

SUNY Empire must:

  • establish an operational incident handling capability for organization information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and
  • track, document, and report incidents to appropriate organization officials and/or authorities.

Governance Plan (GP)

The Information Security Program is led by an Information Security Officer (ISO). The Information Security Program is governed by the Information Security Advisory Group.

Cabinet Responsibilities

  • Ensures the Information Security Program’s continuing adequacy, effectiveness, and efficiency.
  • Responsible for the final determination of risk acceptance or mitigation, should there be a conflict of opinions between the Information Security Program and the Information Security Advisory Group.

Information Security Advisory Group Responsibilities

SUNY Empire shall institute an Information Security Advisory Group. The Information Security Advisory Group is a cross-functional, management committee. The responsibilities of the Information Security Advisory Group are as follows:

  1. Report the status and direction of the Information Security Program to the Cabinet;
  2. Review and recommend strategies related to the Information Security Program;
  3. Review and approve information security policies and standards, and other supporting documentation;
  4. Approve and maintain oversight of the risk management process, including risk assessment methodology, risk acceptance criteria, residual and accepted risks;
  5. Review the Business Continuity Plan;
  6. Perform a full review of the Written Information Security Program (WISP);
  7. Approve actions to resolve issues identified during reviews in an effective and timely manner;
  8. Advise on year-over-year goals and priorities for the Information Security Program;
  9. Ensure compliance with all Information Security Program requirements, policies, standards, and procedures;
  10. Review findings and results from various audits and assessments; and
  11. Oversee implementation of remediation plans to ensure high priority risks have been resolved.

Core members will include the following campus titles:

  • Chief Information Officer
  • Information Security Officer
  • Director for Student Accounts
  • Director of Compliance
  • University Registrar

Additional members will include:

  • Director of Enterprise Systems and Infrastructure
  • Managing Director University-wide Project Management
  • Director of Financial Aid
  • Controller
  • Director of Business Analytics
  • Director of Administrative Applications
  • Director of Human Resources or designee
  • Representation from Student Success

Membership will be reviewed annually and is subject to change.

Information Security Officer (ISO) Responsibilities

To establish and maintain the Information Security Program, the ISO will assure that the following responsibilities are carried out:

Measurement and Effectiveness, Including:

  1. Vulnerability management.
  2. Security incident management team leadership.
  3. As requested, provide consulting services.
  4. Establish physical security parameters, in collaboration with the Safety & Security Office (SSO).
  5. Change management.
  6. Provide end users with the tools, resources, and communication necessary to protect SUNY Empire information technology services assets, including annual training as outlined in the Information Security Program.
  7. Ensure compliance with SUNY policy and guidelines related to Information Security, Internal Controls, and Risk Management as related to information technology.

Authorized User Responsibilities

  1. Understand and conform with the Acceptable Use Policy and all other applicable policies, standards, procedures, and guidance instructions;
  2. Protect and properly use all SUNY Empire assets made available to the End User; and
  3. Immediately communicate any detected security incident or anomaly through the respective channels and in accordance with the Information Technology Incident Response Policy.

Maintenance (MA)

SUNY Empire must:

  • perform periodic and timely maintenance on organization information systems; and
  • provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP)

SUNY Empire must:

  • protect information system media, both paper and digital;
  • limit access to information on information system media to authorized users;
  • employ encryption, where applicable; and
  • sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection (PE)

SUNY Empire must:

  • limit physical access to information systems, equipment, and the respective operating environments to authorized individuals;
  • protect the physical plant and support infrastructure for information systems;
  • provide supporting utilities for information systems;
  • protect information systems against environmental hazards; and
  • provide appropriate environmental controls in facilities containing information systems.

Planning (PL)

SUNY Empire must develop, document, periodically update, and implement security plans for organization information systems that describe the security controls in place or planned for the information systems. The college shall establish rules of behavior for individuals accessing the information systems.

Personnel Security (PS)

SUNY Empire must:

  • ensure that individuals who occupy positions of responsibility within the organization are trustworthy;
  • ensure that organization information and information systems are protected during and after personnel actions such as terminations and transfers; and
  • employ formal sanctions for personnel failing to comply with SUNY Empire security policies and procedures.

Risk Assessment (RA)

SUNY Empire must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA)

SUNY Empire must:

  • allocate sufficient resources to adequately protect organization information systems;
  • employ system development life cycle processes that incorporate information security considerations;
  • employ software usage and installation restrictions; and
  • ensure that third-party providers employ adequate security measures, as defined by federal and state law and contract, to protect information, applications, and/or services outsourced from SUNY Empire.

System and Communications Protection (SC)

SUNY Empire must:

  • monitor, control, and protect organization communications (i.e., information transmitted or received by organization information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and
  • employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within organization information systems.

System and Information Integrity (SI)

SUNY Empire must:

  • identify, report and correct information and information system flaws in a timely manner;
  • provide protection from malicious code at appropriate locations within organization information systems; and
  • monitor information system security alerts and advisories and take appropriate actions in response.

Program Management (PM)

SUNY Empire must implement security program management controls to provide a foundation for the organizational Information Security Program.

Enforcement

Enforcement is the responsibility of the institution’s President or Chief Information Officer (CIO). Users who violate this policy may be subject to discipline up to and including termination consistent with the terms and conditions of any applicable Collective Bargaining Agreement, if any. The institution may temporarily suspend an account when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the institution or other computing resources or to protect SUNY Empire from liability.

Exceptions to the policy may be granted by the Chief Information Officer (CIO), or by his or her designee.  All exceptions must be reviewed annually.

Applicable Legislation and Regulations

The Gramm-Leach-Bliley Act (GLBA)

Family Educational Rights and Privacy Act (FERPA)

General Data Protection Regulation (GDPR)

New York State Information Security Breach and Notification Act

NIST 800-171 Rev 2

FIPS-199

Related References, Policies, Procedures, Forms and Appendices

Enterprise Data Classification Policy

Technology Acceptable Use Policy

Record Retention Policy

SUNY Policy 6608, Information Security Guidelines: Campus Programs & Preserving Confidentiality

SUNY Policy 6900, Information Security Policy